Many healthcare institutions store and process people's personal health data and make the data available to their employees. Hospitals, for example, store information related to the health status and treatment of their patients and provide those data to their care providers such as nurses, physicians, or staff. The medical data, however, are often very sensitive. A healthcare institution should protect the privacy of its patients by exercising care when it allows care providers access to the data. In particular, many privacy laws require health care providers to limit access to their records. For example, in the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that hospitals protect the sensitive data in their electronic medical record systems by allowing only the minimum necessary access to those data.
To comply with the privacy requirements, some institutions establish limited access policies. These policies limit access to some types of data or access by some care providers. Some institutions establish such policies by enforcing access permissions based on a care provider's position or the provider's relationship with a patient. Some hospitals, for example, may establish access permissions that allow viewing of medical records in a department only by providers who are in that department, or allow modification of a patient's records only by the patient's physicians and their staff. Such limited access policies, however, are often arbitrary and may not fit all scenarios in which access is needed.
Healthcare organizations, thus, often find it difficult or impractical to establish limited access policies according to the privacy laws. Organizations realize that to provide an optimum service, they may need to allow access to the data to a variety of care providers. These care providers may need to view or edit the data under different routine or emergency situations. For example, different medical providers may need to view the records of a patient to provide the patient with a service such as medication, lab test, or appointment. Additionally, in a medical emergency, a patient may be treated by any care provider and not just those that routinely treat the patient. Thus, in an emergency, any provider may legitimately need to access the patient's records.
Therefore, establishing limited access policies may add cost or bureaucratic overhead. In exceptional cases such as emergencies, for example, when an access is necessary but not permitted, a care provider may have to seek special permission or ask another care provider who holds the right permissions to access some data.
To address the shortcomings of limited access policies, some institutions establish an open access policy. According to open access policies, a large number of care providers in the organization can access or modify the records of a large number of patients. In some cases, any provider can essentially view or edit the records of any patient. Such open access policies avoid the inflexibilities of limited access policies, but open the door for abuse or breach of privacy laws.
To address the privacy issues with open access policies, some institutions maintain access logs that record the details of each occasion on which a provider accesses a patient's records. The organization occasionally audits the logs, that is, reviews the access logs in search of evidence of accesses that are nefarious or violate privacy laws. Such accesses may include an occasion on which a patient's record is accessed by a healthcare provider who is not directly involved in the patient's routine or emergency care and instead accesses the records for personal gain. The audits, however, are often subjective, and either costly or inefficient. The audits often result in many false negatives or false positives. The errors occur because the access logs are usually very large and searching through them is a cumbersome task. A reviewer may easily overlook an unauthorized access among a large number of legitimate accesses. Further, many accesses may seem unreasonable at first view but, after further investigation, turn out to be legitimate. For example, a care provider may need to access the records of a patient not under the provider's care for legitimate reasons such as providing advice to another provider, providing care to another patient whose treatment schedule overlaps with the first patient's treatment, or collecting statistics. Determining whether an access is legitimate or unauthorized may require resolving complex questions, a task that is often cumbersome and costly.
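As an added illustration that is not part of this document, the following Python runs two simple audit rules over a constructed access log with a constructed ground truth, showing the trade-off between false positives and false negatives described above; all provider names, patient identifiers, fields and values are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    provider: str
    patient: str
    action: str       # "view" or "edit"
    emergency: bool   # logged as part of an emergency encounter
    legitimate: bool  # ground truth, known only after investigation (constructed)


# Constructed care-team roster: patient -> providers routinely treating them.
CARE_TEAM = {"P-100": {"dr_alice", "nurse_bob"}, "P-200": {"dr_carol"}}

# Constructed access log; a real log would hold thousands of such rows.
ACCESS_LOG = [
    AccessEvent("dr_alice", "P-100", "edit", False, True),    # routine care
    AccessEvent("dr_carol", "P-100", "view", False, True),    # consult for dr_alice
    AccessEvent("nurse_bob", "P-200", "view", True, True),    # emergency treatment
    AccessEvent("clerk_dan", "P-200", "view", False, False),  # no care relationship
    AccessEvent("dr_carol", "P-100", "edit", False, False),   # off-team edit, unjustified
]


def off_team(event, care_team):
    """True when the provider is not on the patient's routine care team."""
    return event.provider not in care_team.get(event.patient, set())


def rule_strict(event, care_team):
    """Flag any off-team access that is not part of an emergency."""
    return off_team(event, care_team) and not event.emergency


def rule_lenient(event, care_team):
    """Flag only off-team edits; off-team views are assumed to be consults or statistics."""
    return off_team(event, care_team) and event.action == "edit"


def evaluate(rule, log=ACCESS_LOG, care_team=CARE_TEAM):
    """Return (false_positives, false_negatives) of a rule against the ground truth."""
    fp = sum(1 for e in log if rule(e, care_team) and e.legitimate)
    fn = sum(1 for e in log if not rule(e, care_team) and not e.legitimate)
    return fp, fn
```

The strict rule flags the legitimate consult (a false positive a reviewer must investigate), while the lenient rule misses the clerk's unrelated view (a false negative).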
Many organizations, therefore, either perform inefficient audits that overlook privacy breaches, or forgo audits altogether, which leaves the organization vulnerable to privacy breaches and violations of privacy laws.